Monthly Archives: February 2013

New Cyber Defense rules and policies ignore the reality: End users are lazy

In the past few weeks both the EU Commission and the White House have issued commentary and rules in response to the rise in cyber-attacks. There is growing awareness that cyber security is becoming a political and business necessity. Encryption technology has been used for decades to protect sensitive information in storage and in transit, but most products are complex solutions designed by I.T. and security experts to meet specific industry regulations or threats. In general they do the job they were designed for; however, they overlook one massive reality.

To be effective, security solutions need to be adopted and used by people who don’t care about security. Most data leaks and privacy breaches are inadvertent: the wrong email address, the wrong attachment. It is more convenient to use basic email, cross your fingers and hit send than to log into some other product to send sensitive information. To ensure adoption, any security solution being deployed must complement the tools end users already use, not complicate them.

For I.T. and security teams it is crucial that any deployed security solution work seamlessly across an increasingly complex reality of hosted and on-premise email platforms and corporate and personal mobile devices, and that it avoid the certificates, keys to manage and changes to everyday email that traditional encryption solutions require. Governments and regulators can create new rules and policies to defend against cyber threats, but until solutions are designed for distracted end users who don’t want to learn anything new, information remains at risk.

http://europa.eu/rapid/press-release_IP-13-94_en.htm

EU Cybersecurity plan to protect open internet and online freedom and opportunity

Brussels, 7 February 2013

The European Commission, together with the High Representative of the Union for Foreign Affairs and Security Policy, has published a cybersecurity strategy alongside a Commission proposed directive on network and information security (NIS).

The cybersecurity strategy – “An Open, Safe and Secure Cyberspace” – represents the EU’s comprehensive vision on how best to prevent and respond to cyber disruptions and attacks. This is to further European values of freedom and democracy and ensure the digital economy can safely grow. Specific actions are aimed at enhancing cyber resilience of information systems, reducing cybercrime and strengthening EU international cyber-security policy and cyber defence.

The strategy articulates the EU’s vision of cyber-security in terms of five priorities:

  • Achieving cyber resilience
  • Drastically reducing cybercrime
  • Developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP)
  • Developing the industrial and technological resources for cyber-security
  • Establishing a coherent international cyberspace policy for the European Union and promoting core EU values

The EU international cyberspace policy promotes the respect of EU core values, defines norms for responsible behaviour, advocates the application of existing international laws in cyberspace, while assisting countries outside the EU with cyber-security capacity-building, and promoting international cooperation in cyber issues.

The EU has made key advances in better protecting citizens from online crimes, including establishing a European Cybercrime Centre (IP/13/13), proposing legislation on attacks against information systems (IP/10/1239) and the launch of a Global Alliance to fight child sexual abuse online (IP/12/1308). The Strategy also aims at developing and funding a network of national Cybercrime Centers of Excellence to facilitate training and capacity building.

The proposed NIS Directive is a key component of the overall strategy and would require all Member States, key internet enablers and critical infrastructure operators such as e-commerce platforms and social networks and operators in energy, transport, banking and healthcare services to ensure a secure and trustworthy digital environment throughout the EU. The proposed Directive lays down measures including:

(a) Member States must adopt a NIS strategy and designate a national NIS competent authority with adequate financial and human resources to prevent, handle and respond to NIS risks and incidents;

(b) Creating a cooperation mechanism among Member States and the Commission to share early warnings on risks and incidents through a secure infrastructure, cooperate and organise regular peer reviews;

(c) Operators of critical infrastructures in some sectors (financial services, transport, energy, health), enablers of information society services (notably: app stores, e-commerce platforms, Internet payment, cloud computing, search engines, social networks) and public administrations must adopt risk management practices and report major security incidents on their core services.

Neelie Kroes, European Commission Vice-President for the Digital Agenda said:

“The more people rely on the internet the more people rely on it to be secure. A secure internet protects our freedoms and rights and our ability to do business. It’s time to take coordinated action – the cost of not acting is much higher than the cost of acting.”

Catherine Ashton, High Representative of the Union for Foreign Affairs and Security Policy/Vice-President of the Commission said:

“For cyberspace to remain open and free, the same norms, principles and values that the EU upholds offline, should also apply online. Fundamental rights, democracy and the rule of law need to be protected in cyberspace. The EU works with its international partners as well as civil society and the private sector to promote these rights globally.”

Cecilia Malmström, EU Commissioner for Home Affairs said:

“The Strategy highlights our concrete actions to drastically reduce cybercrime. Many EU countries are lacking the necessary tools to track down and fight online organised crime. All Member States should set up effective national cybercrime units that can benefit from the expertise and the support of the European Cybercrime Centre EC3.”

Background

Cyber-security incidents are increasing in frequency and magnitude, are becoming more complex and know no borders. These incidents can cause major damage to safety and the economy. Efforts to prevent cyber incidents, to cooperate on them and to be more transparent about them must improve.

Previous efforts by the European Commission and individual Member States have been too fragmented to deal with this growing challenge.

Facts about cybersecurity today

  • There are an estimated 150,000 computer viruses in circulation every day and 148,000 computers compromised daily.
  • According to the World Economic Forum, there is an estimated 10% likelihood of a major critical information infrastructure breakdown in the coming decade, which could cause damages of $250 billion.
  • Cybercrime causes a good share of cyber-security incidents. Symantec estimates that cybercrime victims worldwide lose around €290 billion each year, while a McAfee study put cybercrime profits at €750 billion a year.
  • The 2012 Eurobarometer poll on cyber security found that 38 % of EU internet users have changed their behaviour because of these cyber-security concerns: 18 % are less likely to buy goods online and 15 % are less likely to use online banking. It also shows that 74% of the respondents agreed that the risk of becoming a victim has increased, 12% have already experienced online fraud and 89% avoid disclosing personal information.
  • According to the public consultation on NIS, 56.8% of respondents had experienced NIS incidents with a serious impact on their activities over the past year.
  • Meanwhile, Eurostat figures show that, by January 2012, only 26% of enterprises in the EU had a formally defined ICT security policy.

FINRA fine highlights compliance problems with traditional encryption products

The $1.2 million fine levied by FINRA against ING and its affiliates yesterday brings to light compliance problems with traditional encryption solutions that have long been recognized but tolerated in the finance sector. The announcement stated that the firms “…failed to set up systems to retain certain types of encrypted emails” and therefore the messages were not available to review.

Much of the frustration around traditional encryption solutions (beyond the end user experience) relates to the creation of a secondary email repository. Even when firms like ING make best efforts to put both encryption and message archiving solutions in place, the two are not compatible: there are keys and certificates to manage, and when the two are used together the archive fills with encrypted messages that cannot be reviewed or audited.

Email2 has solved these important compliance challenges and is the only encryption solution that will work with any archive/eDiscovery system, ensuring that, regardless of whether email is on-premise, hosted, or a hybrid of both, all secure messages are available decrypted for audit and eDiscovery purposes (and are therefore compliant with the recordkeeping provisions of the federal securities laws and FINRA rules, and with the supervisory requirements under FINRA rules).

Original post: http://www.finra.org/newsroom/newsreleases/2013/p207604

FINRA Fines Five ING Firms $1.2 Million for Email Retention and Review Violations

WASHINGTON — The Financial Industry Regulatory Authority (FINRA) announced today that it has fined five affiliates of ING $1.2 million for failing to retain or review millions of emails for periods ranging from two months to more than six years. The five firms, indirect subsidiaries of ING Groep N.V., are Directed Services, LLC; ING America Equities, Inc.; ING Financial Advisers, LLC; ING Financial Partners, Inc.; and ING Investment Advisors, LLC.

Brad Bennett, Executive Vice President and Chief of Enforcement, said, “As a result of broad systemic failures, these firms failed to capture and retain emails from hundreds of representatives and other associated persons, and failed to take adequate steps to ensure that their principals were fulfilling their responsibilities to review emails. Email retention and review continues to be an important regulatory responsibility and an issue of concern for FINRA.”

FINRA found that the firms failed to properly configure hundreds of employee email accounts to ensure that the emails sent to and from those accounts were retained and reviewed at various times between 2004 and 2012. In addition, four of the firms failed to set up systems to retain certain types of emails, such as emails using alternative email addresses, emails sent to distribution lists, emails received as blind carbon copies, encrypted emails and “cloud” email (emails sent through third-party systems). As a result of these failures, emails sent to and from hundreds of employees and associated persons were not retained; and because the emails were not retained, they were not subject to supervisory review.

In addition, four of the firms failed to review millions of emails that the firms’ email review software had flagged for supervisory review. At various times between January 2005 and May 2011, nearly six million emails flagged for review went unreviewed by supervisory principals because the email review software was not properly configured.

In concluding the settlement, the firms neither admitted nor denied the charges, but consented to the entry of FINRA’s findings. FINRA found that the firms violated the recordkeeping provisions of the federal securities laws and FINRA rules, and supervisory requirements under FINRA rules.

FINRA also ordered the firms to conduct a comprehensive review of their systems for the capture, retention and review of email, and to subsequently certify that they have established procedures reasonably designed to address and correct the violations.

FINRA’s investigation was conducted by the Departments of Enforcement and Member Regulation.

Investors can obtain more information about, and the disciplinary record of, any FINRA-registered broker or brokerage firm by using FINRA’s BrokerCheck. FINRA makes BrokerCheck available at no charge. In 2012, members of the public used this service to conduct 14.6 million reviews of broker or firm records. Investors can access BrokerCheck at www.finra.org/brokercheck or by calling (800) 289-9999. Investors may find copies of this disciplinary action as well as other disciplinary documents in FINRA’s Disciplinary Actions Online database.

FINRA, the Financial Industry Regulatory Authority, is the largest independent regulator for all securities firms doing business in the United States. FINRA is dedicated to investor protection and market integrity through effective and efficient regulation and complementary compliance and technology-based services. FINRA touches virtually every aspect of the securities business – from registering and educating all industry participants to examining securities firms, writing rules, enforcing those rules and the federal securities laws, informing and educating the investing public, providing trade reporting and other industry utilities, and administering the largest dispute resolution forum for investors and firms. For more information, please visit www.finra.org.